Comment by bawolff
Two things
Saml itself is sort of a kitchen sink. It includes everything you could possibly ever want, but nobody implements all of it so you need to figure out common subset, which defeats the point of a standard.
Second, XMLSignature sucks... like badly. Only part of the response is signed, but which part there is no standard on. It is way too complicated. Why have multiple overlapping signatures is crazy. Comments arent signed but change meaning of document. A billion signature types. Etc.
XML signatures in SAML suck so much they deserve to be your point one. For functionality at least it's possible to just poke around and see what works with whatever party your connecting, but debugging broken signing? With XML signatures it is possible to have it all working with one provider (perhaps a Windows machine running ADFS) and then be unable to verify the signatures from another, and you'll never know where the fault lies.
At least with modern stuff like JWT's the ways to encrypt and sign are well-understood.